URL: https://cdn.discordapp.com/attachments/990932304564191292/990932484822798386/f613fe06a1f4a25e.rar

Full analysis: https://app.any.run/tasks/486ff5bc-ddf3-42d1-9864-6f4d434d5d46
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:58:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 7826522E24745B274B11774A254BA6BE
SHA1: 608683776CF4C17D1D2568D8AECFBE3E0B654D79
SHA256: 8481213D27CFD61DE83D0F70B28C99AD910B92EBF2EB371026103657E238E06F
SSDEEP: 3:N8cCWdy6//txXOcX1WX3iAAavQuOn:2cry6Xt9miQpO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3544)
    • Application was dropped or rewritten from another process

      • чит на роб.exe (PID: 3764)
      • чит на роб.exe (PID: 2516)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 4028)
    • Reads the computer name

      • WinRAR.exe (PID: 3544)
      • чит на роб.exe (PID: 3764)
      • чит на роб.exe (PID: 2516)
    • Checks supported languages

      • WinRAR.exe (PID: 3544)
      • чит на роб.exe (PID: 3764)
      • чит на роб.exe (PID: 2516)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3544)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3544)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2464)
      • iexplore.exe (PID: 4028)
    • Checks supported languages

      • iexplore.exe (PID: 2464)
      • iexplore.exe (PID: 4028)
    • Application launched itself

      • iexplore.exe (PID: 2464)
    • Changes internet zones settings

      • iexplore.exe (PID: 2464)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2464)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 4028)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2464)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 4028)
      • iexplore.exe (PID: 2464)
    • Manual execution by user

      • чит на роб.exe (PID: 3764)
      • чит на роб.exe (PID: 2516)
No Malware configuration.
No data.
Total processes: 39
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1


Process information

PID 2464 (parent process: Explorer.EXE)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn.discordapp.com/attachments/990932304564191292/990932484822798386/f613fe06a1f4a25e.rar"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 4028 (parent process: iexplore.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2464 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3544 (parent process: iexplore.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\f613fe06a1f4a25e.rar"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.91.0

PID 3764 (parent process: Explorer.EXE)
  CMD: "C:\Users\admin\Desktop\чит на роб.exe"
  Path: C:\Users\admin\Desktop\чит на роб.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 2516 (parent process: Explorer.EXE)
  CMD: "C:\Users\admin\Desktop\чит на роб.exe"
  Path: C:\Users\admin\Desktop\чит на роб.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
Total events: 8 005
Read events: 7 913
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 8
Text files: 1
Unknown types: 3

Dropped files

PID 2464, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\~DF24B3DA52E997263A.TMP
  Type: gmc
  MD5: 8820025A28F23419A44F0BD48A97AFA4
  SHA256: 807C1CAD58599682F9B59FA5E64316D3F48AFBCAE37725268CC9F2CC3C07A455

PID 4028, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\f613fe06a1f4a25e[1].rar
  Type: compressed
  MD5: 1B05FD06C0A3E5F1B8FFB3DEA5675794
  SHA256: 3E8587F184223BE8ADFD27C15E95FC8EA7BFC02CE0BCC2CA631297B6215E0A45

PID 3544, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3544.17864\чит на роб.exe
  Type: executable
  MD5: F6357A8F78C5E2085CCE37C459BAAE91
  SHA256: 8005DE35D129235B20FB323E933486B9579230ECB54A0CEB31115B3AF06ABD59

PID 4028, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  Type: der
  MD5: FC887F7C5EF1EEAE3FB3BA651F77AC36
  SHA256: 5F98609231B96FC1ECFEFF757089F66D6A74BBE8FED6B33D83A799790484AA56

PID 2464, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\~DFE5D90EB139C110D5.TMP
  Type: gmc
  MD5: 58CC85D9D97DA0614C8CA8A0316DAF1D
  SHA256: 196F3D58B1B6D61A26F3F707D17D2EE19A0ADE85408B887E02D2A0BF02C16175

PID 2464, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{0E2C97DD-F608-11EC-AE3F-12A9866C77DE}.dat
  Type: binary
  MD5: EA35397D113F8F81E49C8DEF8AFB6BA8
  SHA256: A493489260DB7BE3F9C1E24C3AFAF6A7AB8C1DC828295660B4B246211930E9D1

PID 4028, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
  Type: binary
  MD5: 1B89EDDE1C019CE33507D67ADA1CB531
  SHA256: 53993BACE02B58F074107F8B11ED170B5E59833DA0594EAA8921DF3BE922BA1B

PID 2464, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{0E2C97DF-F608-11EC-AE3F-12A9866C77DE}.dat
  Type: binary
  MD5: 98865823D92D282E94B3FD5FC036E3E5
  SHA256: 9663048E0E0A3A8483C9001BAB68B94BD52F6F8B49BAAF3EE1D663770B7FA865

PID 4028, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: BF4596687FE242A83CA595496C5AE229
  SHA256: 0643EA5815E3EED477B37617AF3F6201C8F7F552E7F288C11178C8E4FFC2FA32

PID 4028, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\f613fe06a1f4a25e.rar.om6w477.partial
  Type: compressed
  MD5: E05A5BE2B2B6904EDE4AEFB85A883503
  SHA256: 2CC79A20463556A7CF23A7F6156075B303FAEE40E1AA5D4023244397A5DA647D
HTTP(S) requests: 2
TCP/UDP connections: 7
DNS requests: 7
Threats: 0

HTTP requests

PID 4028, iexplore.exe
  Method: GET
  HTTP Code: 200
  IP: 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
  CN: US
  Type: der
  Size: 1.47 Kb
  Reputation: whitelisted

PID 4028, iexplore.exe
  Method: GET
  HTTP Code: 200
  IP: 209.197.3.8:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9bd51c455daa7161
  CN: US
  Type: compressed
  Size: 4.70 Kb
  Reputation: whitelisted

Connections

PID 4028, iexplore.exe
  IP: 209.197.3.8:80
  Domain: ctldl.windowsupdate.com
  ASN: Highwinds Network Group, Inc.
  CN: US
  Reputation: whitelisted

PID 4028, iexplore.exe
  IP: 93.184.220.29:80
  Domain: ocsp.digicert.com
  ASN: MCI Communications Services, Inc. d/b/a Verizon Business
  CN: US
  Reputation: whitelisted

PID 4028, iexplore.exe
  IP: 162.159.134.233:443
  Domain: cdn.discordapp.com
  ASN: Cloudflare Inc
  CN: not recorded
  Reputation: shared

DNS requests

cdn.discordapp.com (reputation: shared)
  • 162.159.135.233
  • 162.159.134.233
  • 162.159.129.233
  • 162.159.133.233
  • 162.159.130.233
ctldl.windowsupdate.com (reputation: whitelisted)
  • 209.197.3.8
api.bing.com (reputation: whitelisted)
  • 13.107.5.80
www.bing.com (reputation: whitelisted)
  • 131.253.33.200
  • 13.107.22.200
ocsp.digicert.com (reputation: whitelisted)
  • 93.184.220.29

Threats

PID: not recorded
  Class: Misc activity
  Message: ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)

PID: not recorded
  Class: Misc activity
  Message: ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)

PID 4028, iexplore.exe
  Class: Misc activity
  Message: ET INFO Observed Discord Domain (discordapp .com in TLS SNI)

PID: not recorded
  Class: Misc activity
  Message: ET INFO Observed Discord Domain in DNS Lookup (discordapp .com)

PID 4028, iexplore.exe
  Class: Misc activity
  Message: ET INFO Observed Discord Domain (discordapp .com in TLS SNI)
No debug info